Threat Summary

Overview

There is an insecure configuration/authentication bypass in the Oracle Glassfish server. This vulnerability allows a remote attacker to upload a malicious WAR file to execute arbitrary code on the server. This could lead to the compromise of the target system. In newer releases of the Glassfish server, remote access to the administration interface is not allowed by default.

Exploitation

Stages

The remote unauthenticated attacker sends the request ‘common/index.jsf’ on the admin port of the Glassfish server to retrieve the version of the server.

The server responds with a 200 OK and the server version is in the response.

The attacker, utilizing the server version, will either authenticate to the server with the supplied credentials (in some versions, the default username is ‘admin’ and the password ID is left blank) or they will bypass authentication by utilizing a lowercase HTTP request method, such as ‘post’ instead of ‘POST’.

The server will respond successfully, indicating that the attacker has access to the administration interface.

The attacker uploads their malicious WAR file to the server and the server responds with a 302. This is an indication of success.

The attacker sends a GET request to their malicious file to initiate their shell on the system.

Post exploit, the attacker un-deploys their uploaded file after the shell has been injected.

Prerequisites

The attacker may need the administrator credentials if the authentication bypass vulnerability is not a viable option.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.